CPA Firm Data Security and Client Privacy: GLBA Compliance, Encryption, and Written Security Plans
Client data security is not optional for CPA firms — it's a federal legal requirement under the Gramm-Leach-Bliley Act (GLBA), an IRS mandate under the Safeguards Program for tax preparers, and a professional ethics obligation under most state boards of accountancy. A data breach exposing client Social Security numbers, tax returns, or financial information can result in regulatory sanctions, professional liability claims, and permanent damage to your firm's reputation. This guide translates complex regulatory requirements into practical, implementable security measures for solo CPA firm owners — no IT department required.
The Quick Answer
A solo CPA firm's minimum viable data security posture includes: (1) A written information security plan (WISP) — required by the IRS and FTC Safeguards Rule, even for one-person firms; (2) Multi-factor authentication (MFA) on every professional account — email, tax software, practice management, cloud storage; (3) Encrypted client document storage and transmission — through a dedicated secure client portal like TaxDome or SmartVault, not personal email or consumer Dropbox; (4) Encrypted laptop storage (BitLocker on Windows, FileVault on macOS); (5) Secure Wi-Fi network for all client work — never prepare tax returns on public Wi-Fi without a VPN. Total cost: $0–$200/year for the security measures themselves. The cost of a breach is orders of magnitude higher — the average data breach in professional services costs $150,000–$400,000 in notification, remediation, and legal fees.
GLBA and the FTC Safeguards Rule: What CPAs Are Required to Do
The Gramm-Leach-Bliley Act (GLBA) classifies tax preparers and CPA firms as 'financial institutions' subject to its data security requirements. The FTC's Safeguards Rule, significantly strengthened in June 2023, requires CPA firms to implement nine specific categories of safeguards: (1) A qualified individual designated as responsible for your information security program (for a solo firm, this is you); (2) A written risk assessment identifying risks to client information; (3) Access controls — only people who need client information to do their job should have access; (4) Encryption of client information in transit and at rest; (5) Multi-factor authentication for anyone accessing client information; (6) Secure development of apps or systems used in your firm; (7) Change management procedures (testing software changes before deployment); (8) Monitoring and testing your security program; (9) A written incident response plan for data breaches. Small CPA firms with fewer than five employees are subject to a slightly simplified version of the Safeguards Rule — they must complete a written risk assessment and the nine safeguard elements, but with less prescriptive documentation requirements. The FTC actively enforces the Safeguards Rule; penalties for non-compliant financial institutions include fines up to $100,000 per violation and individual liability for officers.
Writing Your Firm's Information Security Plan (WISP)
The IRS requires every tax preparer to maintain a Written Information Security Plan (WISP) under the IRS Safeguards Program. The WISP doesn't need to be elaborate for a solo firm — a well-organized three-to-five-page document is sufficient. Your WISP should include: (1) Firm overview: firm name, EIN, designated security officer (you), date last reviewed; (2) Risk assessment: list of client data types stored (SSNs, financial statements, tax returns), storage locations (TaxDome, laptop hard drive, Google Drive), and potential threats (phishing attacks, stolen laptop, malware); (3) Access controls: who has access to each data system and how access is managed; (4) Security measures: encryption settings, MFA implementation, password policy, Wi-Fi security; (5) Vendor management: list of third-party vendors who access client data (TaxDome, Drake Tax, Gusto) and confirmation they have their own security programs; (6) Incident response plan: step-by-step actions if a breach occurs — notify affected clients within 30 days (IRS requires notification), report to appropriate authorities, assess scope; (7) Employee security training: annual review of security practices (for a solo firm, this is your own annual self-audit). The IRS publishes a free WISP template for tax preparers at irs.gov/privacy-disclosure/safeguards-program — download it, customize it for your firm, and review it annually. Keep a signed and dated copy in your firm's records.
Multi-Factor Authentication Setup for CPA Firms
Multi-factor authentication (MFA) — requiring a second verification step beyond your password — is the single most effective measure against the most common security threat: compromised passwords. Enable MFA on every professional system: email (Gmail MFA through Google Authenticator app or hardware key; Outlook MFA through Microsoft Authenticator), tax software (Drake Tax, Lacerte, and ProSeries all support MFA — enable it in account settings), practice management (TaxDome and Karbon both support MFA — enable for all users), QuickBooks Online Accountant (MFA available and strongly recommended since QBOA provides access to all client files), IRS e-Services account (requires identity verification and MFA through ID.me), and all cloud storage. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) rather than SMS-based MFA where possible — SMS codes can be intercepted through SIM-swapping attacks. Hardware security keys (YubiKey, $25–$50 at amazon.com) provide the strongest MFA protection for your most sensitive accounts (IRS e-Services, tax software administrator accounts). Store backup MFA codes in an encrypted password manager (1Password at $3/month or Bitwarden at $1/month) — you'll need these if your phone is lost or damaged.
Secure Client Document Exchange: Platforms and Protocols
The most common data security failure for solo CPA firms is using personal email or consumer cloud storage (personal Gmail, personal Dropbox) to exchange client documents. Both lack the audit trails, access controls, and encryption standards that GLBA and professional liability insurers require. A dedicated secure client portal is required for all document exchange. Purpose-built platforms for CPA firms:
TaxDome: AES-256 encrypted document storage, access logs, and a client portal with bank-level security. $600/year includes unlimited client storage and secure messaging.
SmartVault: SOC 2 Type II certified document storage with CPA-specific folder structures and direct tax software integration. $65–$80/month.
ShareFile (Citrix): enterprise-grade encrypted file sharing with detailed audit trails and time-limited document access. $50/month.
Never send completed tax returns as attachments to standard email: email is not encrypted end-to-end unless both parties use S/MIME or PGP. If a client insists on email delivery, use a password-protected PDF (set the password in your tax software's print settings) and send the password in a separate message rather than in the same email. Document your secure delivery policy in your engagement letter and client onboarding materials.
Responding to a Data Breach: IRS and Client Notification Requirements
Despite your best security measures, breaches can occur. Your incident response plan should be written in advance so you're not making critical decisions under stress when a breach happens. IRS breach notification: if you experience a data breach involving client tax information, contact the IRS immediately by calling the IRS Taxpayer Protection Program (1-800-908-4490) and your state's tax agency. The IRS will assign a Technical Coordinator to help you assess the scope and notify affected clients. The IRS requires notification within a reasonable time — in practice, notify the IRS within 24 hours of discovering a breach. Client notification: under most state breach notification laws, you must notify affected clients in writing within 30–60 days (the timeframe varies by state). Your notification must describe what data was compromised, when the breach occurred, what steps you're taking to remediate, and what clients should do to protect themselves (credit freeze, IRS Identity Protection PIN request). State attorney general offices typically require breach notification for breaches affecting state residents — check your state's breach notification statute for specific requirements. Professional liability insurance from CAMICO covers some data breach defense and notification costs — review your policy's data breach coverage provisions and purchase a cyber liability endorsement if not included.
Physical Security for Home-Based CPA Firm Operations
Virtual CPA firms introduce physical security considerations that office-based practices handle through building access controls. For home-based practices: (1) Lock your laptop when leaving your home office, even briefly — a stolen laptop is a breach notification event if client data is stored locally without encryption; (2) Use a dedicated, password-protected work laptop that never logs into personal social media, gaming, or entertainment accounts — personal browsing is a primary malware vector; (3) Store printed tax returns, client documents, and engagement letters in a locked filing cabinet — required by most state boards for document retention (typically 5–7 years for tax records); (4) Shred all client document waste with a micro-cut shredder ($80–$150 at Staples) — the strips produced by a standard strip-cut shredder can be reassembled; (5) Secure your home Wi-Fi with WPA3 encryption and a separate guest network for any non-work devices; (6) Use a VPN (NordVPN or ExpressVPN at $4–$8/month) any time you work from a non-home network — coffee shops, airport lounges, and co-working spaces all have shared Wi-Fi vulnerable to interception. Include these physical security measures in your WISP as documented safeguards.
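As an added self-check for the WISP's annual review (example code written for this page, not from the guide or any vendor it names), the PowerShell script below reports the state of three safeguards discussed above on a Windows work laptop: BitLocker on each volume, the authentication mode of the Wi-Fi network currently in use, and Microsoft Defender real-time protection. It assumes Windows 10/11 Pro or Enterprise (BitLocker module present) and an elevated prompt; the PASS/WARN/FAIL labels and the findings table are this example's own convention.

```powershell
# Added example (not from this guide or any vendor it names): a Windows
# self-audit for the WISP annual review. Assumes Windows 10/11 Pro or
# Enterprise (BitLocker module present) and an elevated PowerShell prompt.
# PASS/WARN/FAIL/N/A labels and the $findings table are this example's own.

$findings = @()

# 1. Full-disk encryption (guide item: BitLocker on the work laptop).
#    Every volume should be FullyEncrypted with protection On; a drive that is
#    encrypted but has protection Off is effectively unlocked if stolen.
foreach ($vol in Get-BitLockerVolume) {
    $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    $findings += [pscustomobject]@{
        Check  = "BitLocker $($vol.MountPoint)"
        Status = $(if ($ok) { 'PASS' } else { 'FAIL' })
        Detail = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus), $($vol.EncryptionMethod)"
    }
}

# 2. Wi-Fi authentication of the network in use (guide item: WPA3 at home,
#    VPN elsewhere). netsh prints a line such as "Authentication : WPA2-Personal".
$authLine = netsh wlan show interfaces | Select-String 'Authentication\s*:\s*(.+)$' | Select-Object -First 1
if ($authLine) {
    $auth = $authLine.Matches[0].Groups[1].Value.Trim()
    $status = if ($auth -like 'WPA3*') { 'PASS' } elseif ($auth -like 'WPA2*') { 'WARN' } else { 'FAIL' }
} else {
    $auth = 'no Wi-Fi connection (wired or offline)'
    $status = 'N/A'
}
$findings += [pscustomobject]@{ Check = 'Wi-Fi authentication'; Status = $status; Detail = $auth }

# 3. Anti-malware (the WISP risk assessment lists malware as a threat).
$mp = Get-MpComputerStatus
$status = if ($mp.RealTimeProtectionEnabled) { 'PASS' } else { 'FAIL' }
$findings += [pscustomobject]@{
    Check  = 'Defender real-time protection'
    Status = $status
    Detail = "signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# Print the table and keep a dated copy with the WISP as evidence of testing.
$findings | Format-Table -AutoSize
```

A FAIL on any BitLocker line or an Open or WPA-only Wi-Fi result is a finding to record and fix before the WISP is signed and dated.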
RECOMMENDED TOOLS
TaxDome
SOC 2 compliant CPA practice platform with AES-256 encrypted document storage, MFA support, and audit logs for GLBA Safeguards Rule compliance.
CAMICO
AICPA-endorsed professional liability insurance for CPAs. Policies include data breach coverage and proactive risk management resources for regulatory compliance.
FREQUENTLY ASKED QUESTIONS
Does the FTC Safeguards Rule apply to solo CPA firms?
Yes — the FTC Safeguards Rule under GLBA applies to all 'financial institutions' including tax preparers and CPA firms regardless of size. Solo CPA firms must implement all nine safeguard categories, maintain a written information security plan, designate a qualified individual responsible for security, and have an incident response plan. Small firms (fewer than five employees) are subject to a slightly simplified version with less prescriptive documentation requirements, but the substantive safeguards still apply.
What is a Written Information Security Plan (WISP) for a CPA firm?
A WISP is a documented plan describing how your firm protects client data, required by both the IRS Safeguards Program and the FTC Safeguards Rule. For a solo CPA, a 3–5 page document covering your data types, storage locations, access controls, encryption practices, vendor list, and breach response procedures satisfies the requirement. The IRS provides a free WISP template at irs.gov — download, customize, sign, date, and review annually.
Can I use personal Gmail or Dropbox to share tax returns with clients?
No — personal Gmail and Dropbox lack the encryption, access controls, and audit trails required by GLBA and professional liability insurers for client financial data. Use a dedicated secure client portal: TaxDome ($600/year) and SmartVault ($780/year) are purpose-built for CPA firms. If a client insists on email, send a password-protected PDF and transmit the password separately — and document in your WISP that this is your exception handling procedure.
What should a CPA firm do immediately after discovering a data breach?
Within 24 hours: call the IRS Taxpayer Protection Program (1-800-908-4490) and your state tax agency, contact your professional liability insurer (CAMICO or Hiscox) to report the potential claim, and preserve all evidence (do not delete logs or emails). Within 72 hours: assess the scope of the breach — what data was accessed, how many clients are affected, and how the breach occurred. Within 30–60 days: notify affected clients in writing per your state's breach notification statute. Document all response actions for regulatory and insurance purposes.